HTTP Request Smuggling Affecting python-aiohttp package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-PYTHONAIOHTTP-5802379
- published 22 Jul 2023
- disclosed 19 Jul 2023
Introduced: 19 Jul 2023
CVE-2023-37276 Open this link in a new tabHow to fix?
There is no fixed version for Debian:11 python-aiohttp.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-aiohttp package and not the python-aiohttp package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.
References
- https://security-tracker.debian.org/tracker/CVE-2023-37276
- https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules
- https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
- https://hackerone.com/reports/2001873